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HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions).

It includes web surfing, internet searching (like Google), mapping websites (Google Earth/Maps), etc.
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HTTP Activity

HTTP activity comes in two types: client-to-server (the browser's request to a web server such as cnn.com, shown below) and server-to-client (the server's response).

[Screenshot: a client-to-server HTTP GET request to search.bbc.co.uk and the fields XKS breaks out of it: URL Path (/search), URL Args (tab=urdu&q=musharraf&start=3&scope=urdu&link=next, plus an order argument that is illegible), Search Terms (musharraf), Language (en, from Accept-Language: en-us), User-Agent (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)), Via, Referer (http://search.bbc.co.uk/search?tab=urdu&q=musharraf&start=2&scope=urdu) and Cookie (BBC-UID=<long identifier> followed by a URL-encoded copy of the User-Agent string).]
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User Activity is best described as meta-data from "communication based protocols" like webmail, chat, web forums, VoIP, etc. for which we have protocol processing capabilities like AppProc.

It's important to note that there are many applications that fall within this definition for which we do not currently have protocol processing capabilities.
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Most analysts will probably already be familiar with "User Activity" from MARINA.
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XKS runs the same software (AppProc/WebProc/StarProc) that is used to break out meta-data for MARINA.

In some cases, it's actually the XKS at the front-end site that is feeding the meta-data to MARINA (the source will be 'XKS').
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Since applications like webmail are web-based, HTTP and User Activity will contain information about the same session.

While HTTP contains information about all web-based sessions, User Activity contains information only on the "user activity protocols" for which we have identified and developed exploitation capabilities.



TOP SECRET//COMINT//RELTO USA, AUS, CAN, GBR, NZL 






How the Search Forms Fit Together

[Diagram: Full Log is the log of all DNI sessions collected; HTTP Activity is the subset of sessions from web-based protocols; User Activity is the subset of sessions from user activity protocols.]
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Examples of traffic: Webmail (client side)

[Screenshot: a Full Log session row (Datetime 2009-06-17 12:02:27, Case Notation IRS1014A, From IP in Iran, To IP in United States, From Port 37171, To Port 80, Protocol TCP, Length 1440) and its DNI Presenter view (Type: HTTP-GET): a GET request to us.mc575.mail.yahoo.com for a contacts module, with Accept-Language: fa, a Referer pointing at the Yahoo mail showFolder page, x-requested-with: XMLHttpRequest, User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727), and a Cookie whose parts are annotated: l= (Yahoo login id), p= (Gender: male, Birth year, Postal code), lg=en-US (Language/content: English).]
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Examples of traffic: Webmail (server side)

[Screenshot: a Full Log session row (Datetime 2009-06-16 16:23:5x, From IP in United States, To IP in Iran, From Port 80, To Port 60310, Protocol TCP, Length 179354) and its DNI Presenter view (Type: HTTP; Content Type: HTTP/Yahoo Webmail; UIS Webmail Display): the server response rendered as the user's mailbox, with a folder list (Inbox (1655) 4035, Drafts (5) 5, Sent 831) and a message in the Inbox ("Fwd: Fw: ...", Tuesday, June 16, 2009 1:14 AM, From: redacted).]
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
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Examples of traffic: MSN Messenger

[Screenshot: a Full Log session row (Datetime 2009-06-16 16:1x, Case Notation TRS1014A, From IP in Iran, To IP in United States, From Port 51818, To Port 1863, Protocol TCP, Length 137) and its DNI Presenter view (Type: MSN Messenger): a meta-data line "20090616 161707Z ...@yahoo.com<msnpassport> logged in (im)" and the MSN Messenger Message Display (options Display Status Messages, Show Messages Only, Reverse; columns From, To, Message) showing "...@yahoo.com logging in". Footer: DNI PRESENTER Version 1.4.0.3, Build Date Thu Feb 19 13:02:15 GMT 2009.]
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
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Examples of traffic: Skype sessions

[Screenshot: a Full Log session row (Datetime 2009-06-1x 15:25:46, Case Notation IRS1014B, From IP in Iran, To IP in Switzerland, From Port 14414, To Port 13510, Protocol UDP, Length 179) and its DNI Presenter view: meta-data relations between <SkypeUser>, IP address and <SkypeNode> entries, such as "has (illegible) IP 10.0.0.3", "seen with machine ID <SkypeNode>", "has buddy <SkypeUser>", "client to server" and "logged in (im)". Footer: DNI PRESENTER Version 1.4.0.3, Build Date Thu Feb 19 13:02:15 GMT 2009.]
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
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The typical way to search HTTP Activity is to start with User Activity in MARINA.

For example, we'll start with this 16 June activity:

[Screenshot: MARINA User Activity results (columns TS, USERID, PHONE, USER_A, USER_B): a run of "<SkypeUser> logged in (im)" events from the same IP address between 20090616 143827Z and 20090616 144950Z.]
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Understand what is behind the IP

Ensure activity on the IP can be associated with the target
Understand IP usage: dynamic or static
Research the IP using Foxtrail/NKB
Is it a proxy, DVBLAN, dial-up, DSL, etc.?
Is it client-to-server or server-to-client?
Still not sure? Do a User Activity pull for a 5 minute period on the foreign IP
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MultiSearch on IP Address

Let's take what we used last week and do a Multi-Search to discover any web activity around the time the account was active.

[Screenshot: the MultiSearch form (Search > Classic > MultiSearch > IP Addresses in the navigation tree) filled in with Datetime: Custom, Start 2009-06-16 14:30, Stop 2009-06-16 16:30, the IP address, IP Role checkboxes From / To / X-Forwarded-For, and the search forms to run: User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy.]
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Note the number of results for each search, compared to the 28 MARINA results, which were for the same IP address and the same time frame.

[Screenshot: My Recent Results]
Query Name        Query Type     Status    Num Results  Num DBs
16 june example   user_activity  finished  0            1 of 1
16 june example   full_log       finished  3223         1 of 1
16 june example   http_parser    finished  2626         1 of 1
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HTTP Results

Of interest we see visits to web pages like:

[Screenshot: HTTP Activity rows including a search for "iranelection" and a Google search (terms illegible).]
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HTTP Results

Notice how all of the HTTP GET requests were going to the same IP address even though they are for different web servers.... what's going on here?

[Screenshot: HTTP Activity results grouped by Host, with To IP, To Port and Count columns; the To IP is the same on every row:]
integratedsearch.twitter.com
www.bbc.co.uk
www.newyorker.com
newsimg.bbc.co.uk
twitter.com
www.facebook.com
static.twitter.com
stats.bbc.co.uk
visualscience.external.bbc.co.uk
news.bbc.co.uk
profile.ak.facebook.com
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Analysis of 27 May Internet session of PK based target started in MARINA

[Screenshot: MARINA results (columns TS, USERID, PHONE, USER_A, USER_B): between 20090527 052156Z and 20090527 052236Z, "logged in (email)" events for several gmail.com<google> and <yahoo> accounts, all from the same IP address.]
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The analyst then did an HTTP Activity query to find all web surfing from that IP address within the same rough timeframe.

[Screenshot: the HTTP Activity search form: Query Name: 27_may_activity; Justification: PK IP address used by ct target in pakistan; Datetime: Custom, Start 2009-05-27 05:20, Stop 2009-05-27 06:00; IP Address (From / To) and Port (From / To) fields.]
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HTTP meta-data indicated possible Maktoob activity

[Screenshot: HTTP Activity rows (columns Datetime, HTTP Type, Host, URL Path, Fm Country, Fm City, To Country, To City, Fm IP): seven GET requests between 2009-05-27 05:22:39 and 05:22:45 to cdn.maktoob.com for home-page and toolbar image files (logo.png and several .gif files under a newMaktoobHomePageImages directory and a localization toolbar directory), all from PK KARACHI to US HERNDON and all from the same Fm IP.]
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MARINA didn't show any Maktoob user:

[Screenshot: the same MARINA results as above (20090527 052156Z to 052236Z): only gmail.com<google> and <yahoo> "logged in (email)" events; nothing for Maktoob.]
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27 May User Activity Results

XKS's User Activity also didn't show Maktoob activity.

[Screenshot: User Activity results (columns Datetime End, Search Value, Realm, Attribute Type, Attribute Value, Activity): five rows at 2009-05-27 05:23:53 and 05:30:07, all with Realm yahoo, Attribute Type B_cookie and Activity login_webmail; none for Maktoob.]
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27 May HTTP Activity

Was it just a visit to the Maktoob home page, or was there an actual webmail log-in?

In most cases, "active user" and "previous user" information from webmail protocols comes from the cookie field.

XKS HTTP Activity breaks out the entire cookie field, even if protocol analysis doesn't know what each part means.
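As an added illustration (not XKS code and not from these slides), the following Python breaks a cleartext HTTP request into the same fields the slides describe: host, URL path, URL args, search terms, language, User-Agent, Referer, and every name=value pair of the Cookie header, whether or not the meaning of a field is known. The sample request is constructed to resemble the BBC search example above; the search-argument names and all identifier values in it are assumptions. The same breakout is what a defender runs over proxy captures to see which identifiers a site exposes in cleartext cookies.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request, modelled on the BBC search example in the slides.
# Cookie names are taken from the slides; every value here is made up.
SAMPLE_REQUEST = (
    "GET /search?tab=urdu&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://search.bbc.co.uk/search?tab=urdu&q=musharraf&start=2&scope=urdu\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Cookie: BBC-UID=EXAMPLEUID0123456789; lang=en; MKLLD=%22sample.user%22; logged=1\r\n"
    "Host: search.bbc.co.uk\r\n"
    "\r\n"
)

# Query-string names commonly used for a site's search box (an assumption, not from the slides).
SEARCH_ARG_NAMES = ("q", "query", "search", "p")


def break_out_cookie(cookie_header: str) -> dict:
    """Split a Cookie header into name -> value pairs without knowing what any field means.
    A bare token without '=' is kept with an empty value; values are percent-decoded."""
    pairs = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs[name.strip()] = unquote(value.strip())
    return pairs


def parse_request(raw: str) -> dict:
    """Break a cleartext HTTP request into the meta-data fields the slides describe."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only; any body is ignored
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)                        # handles "/path?x=1" and "http://host/path?x=1"
    args = dict(parse_qsl(url.query, keep_blank_values=True))
    search_terms = next((args[k] for k in SEARCH_ARG_NAMES if k in args), None)
    # "en-us,en;q=0.5" -> "en": first language tag, primary subtag only
    language = headers.get("accept-language", "").split(",")[0].split(";")[0].split("-")[0].strip()
    return {
        "method": method,
        "host": headers.get("host", url.netloc),
        "url_path": url.path,
        "url_args": args,
        "search_terms": search_terms,
        "language": language or None,
        "user_agent": headers.get("user-agent"),
        "referer": headers.get("referer"),
        "cookie": break_out_cookie(headers.get("cookie", "")),
    }


if __name__ == "__main__":
    for field, value in parse_request(SAMPLE_REQUEST).items():
        print(f"{field:>12}: {value}")
```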
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27 May HTTP Activity

Look at the full cell value:

[Screenshot: the HTTP Activity results with the Cookie column truncated to "lang=ar; OAX=dEcHOEocyuIAC5Lw; RMFD=...; c=pk; ..." on every row. Right-clicking the cell opens a context menu: View Session, View Session (New Window), Show All Row Values, Mark Metadata row as Important, Send to Agility Realtime, Execute Persona Analysis Query, Filters, Show Full Cell Value, Check where Cookie Equals "lang=ar; OAX=dEcHOEo...", Un-Check where Cookie Equals "lang=ar; OAX=dEcHOEo...".]
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




By looking at the full cookie, the analyst noticed what appeared to be the target's username.

[Screenshot: the full Cookie cell value (opaque values as legible in the slide): lang=ar; OAX=dEcHOEocyuIAC5Lw; RMFD=011M9BNi0104311|01047Px; c=pk; __utma=206054159.4027773062198129700.1243400938.1243400938.1243401768.2; __utmb=206054159.1.10.1243401768; __utmz=206054159.1243400938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); str_tab=sport,news,jokesNew,undefined; MKLLD=%22<username, redacted in the slide>%22%2C...; RMAM=01cen16_1060.4a0066GG|; __utmc=206054159. The MKLLD= field is highlighted.]
27 May HTTP Activity 




The content also shows the cookie value:

[Raw request from the session content, as legible in the slide; opaque cookie values may contain OCR errors:]
GET /localization/js/localization.utf-8.js/2009/5/26/8999991 HTTP/1.1
Accept: */*
Referer: http://web14.maktoob.com/mail2.newlogin/compose<illegible>432.php?mn=<illegible>
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: cdn.maktoob.com
Connection: Keep-Alive
Cookie: lang=ar
  OAX=dEcHQEocyuIAC5Lw
  RMFD=011M9BNi0104311|01043H|01047Px
  c=pk
  __utma=206054159.4027773062198129700.1243400938.1243400938.1243401768.2
  __utmb=206054159.1.10.1243401768
  __utmz=206054159.1243400938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
  str_tab=sport,news,jokesNew,undefined
  MKLLD=<redacted in the slide>
  RMAM=01cen16_1060.4a0066GG|
  wlm_utf-8=0
  wlm_windows-1256=0
  __utmc=206054159
  MKHD=<session token, illegible>
  logged=1
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Why wasn't this activity in MARINA or XKS's User Activity (both fed by AppProc)?

Because Protocol Exploitation hadn't identified this particular Maktoob service.

Since it hadn't been identified, AppProc could not produce meta-data, and DECODEORDAIN was not producing permutations for strong selection.
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In this particular case, analysts from Protocol Exploitation were able to determine that the MKLLD= cookie was identifying the "previous user" but not the "active user".
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Internet applications are dynamic, and protocol analysts are not able to identify and build capabilities to exploit every known application.

It's important that target analysts use tools like XKS to aggressively develop their target and uncover applications that are previously unidentified or are not currently being processed properly.
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The Multi-Search page gives you the ability to search Full Log and HTTP Activity based on an IP address at the same time.

[Screenshot: the MultiSearch > IP Addresses form: an IP Address field; IP Role checkboxes From / To / X-Forwarded-For; search forms User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy; Search and Clear buttons.]

Simply enter an IP address, choose any or all "roles" (i.e. from/to/xff) and then choose which search forms you want.
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Who to contact

If you discover examples that don't seem to be processing correctly, don't hesitate to contact the experts at traffichelp@nsa.ic.gov
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